Expert Advice Community

Controller/Processor and DPO

Guest user Created:   Feb 15, 2018 Last commented:   Feb 15, 2018

Our company provides a School Information/Management System to schools worldwide. The schools determine what data they want to collect about the families/students and how they will use it in regards to the operation of the school. We develop, maintain and operate the database where all of this information is stored and accessed by numerous entities in the school and including parents. Employees from our company also access the school site to help in training, importing data into our system, and of course customer support.

Expert
Andrei Hanganu Feb 15, 2018
Normally most schools collect names, addresses, birthdays, sex, race, religion, phone numbers, etc. This is not dictated by us, but is relevant to any reporting the school needs to do.
1. Controller/Processor: We are fairly confident that we will need to assume the role of controller and processor.
2. DPO - Again, we believe we will need a DPO or need to assign someone in the company the responsibility of overseeing our GDPR compliance. We have based this decision on the fact that student information saved in our database can be processed by the schools in the form of reports for internal and external purposes.
Based on the information I have included would you agree?

Answer:

For your first question, you cannot be processor and controller for the same processing activity. From the description, it seems to me that for the processing activity you mentioned you are a processor and the schools are the controllers, because they are the ones deciding the means and purposes for the processing while you are just providing the system which they use.

As for your second question, especially because most of the personal data belongs to minors and because you are also processing sensitive personal data such as religion I would advise you to appoint a DPO.

You can find out more about the tasks of the DPO in our article “The role of the DPO in light of the General Data Protection Regulation” https://advisera.com/eugdpracademy/knowledgebase/the-role-of-the-dpo-in-light-of-the-general-data-protection-regulation/

I also invite you to go through our online training GDPR Foundations Course https://training.advisera.com/se/eu-gdpr-foundations-course//